deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

clear redirect files

Browse Source
This commit is contained in:
jdeckerMS 2017-01-23 12:51:41 -08:00
parent 0bc7602df8
commit 5dc8876b90
7 changed files with 0 additions and 612 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md
View File

@ -17,74 +17,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
- Windows 10
- Windows 10 Mobile
In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
![Sign in to a device](images/phone-signin-menu.png)
> [!NOTE]
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
## Prerequisites
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- The VPN configuration profile must use certificate-based authentication.
## Set policies
To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- Enable **Use Windows Hello for Business**
- Enable **Phone Sign-in**
- MDM:
- Set **UsePassportForWork** to **True**
- Set **Remote\UseRemotePassport** to **True**
## Configure VPN
To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
## Get the app
If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
[Tell people how to sign in using their phone.](prepare-people-to-use-microsoft-passport.md#bmk-remote)
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 
 

41
windows/keep-secure/microsoft-passport-and-password-changes.md
View File

@ -11,44 +11,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
---
# Windows Hello and password changes
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello.
## Example
Let's suppose that you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account.
Because you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part.
Suppose instead that you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the account credentials that Hello on **Device A** knows will be outdated.
> **Note:**  This example also applies to an Active Directory account when [Windows Hello for Business is not implemented](implement-microsoft-passport-in-your-organization.md).
 
## How to update Hello after you change your password on another device
1. When you try to sign in using your PIN or biometric, you will see the following message: **Your password was changed on a different device. You must sign in to this device once with your new password, and then you can sign in with your PIN.**
2. Click **OK.**
3. Click **Sign-in options**.
4. Click the **Password** button.
5. Sign in with new password.
6. The next time that you sign in, you can select **Sign-in options** and then select **PIN** to resume using your PIN.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
 

224
windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
View File

@ -13,227 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
# Windows Hello errors during PIN creation
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code?
The following image shows an example of an error during **Create a PIN**.
![](images/pinerror.png)
## Error mitigations
When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
1. Try to create the PIN again. Some errors are transient and resolve themselves.
2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again.
4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** > **System** > **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](https://go.microsoft.com/fwlink/p/?LinkId=715697).
5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](https://go.microsoft.com/fwlink/p/?LinkId=715697).
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
<table>
<thead>
<tr class="header">
<th align="left">Hex</th>
<th align="left">Cause</th>
<th align="left">Mitigation</th>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left">0x801C044D</td>
<td align="left">Authorization token does not contain device ID</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr>
<tr class="odd">
<td align="left">0x80090036</td>
<td align="left">User cancelled an interactive dialog</td>
<td align="left">User will be asked to try again</td>
</tr>
<tr class="even">
<td align="left">0x80090011</td>
<td align="left">The container or key was not found</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr>
<tr class="odd">
<td align="left">0x8009000F</td>
<td align="left">The container or key already exists</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr>
<tr class="even">
<td align="left">0x8009002A</td>
<td align="left">NTE_NO_MEMORY</td>
<td align="left">Close programs which are taking up memory and try again.</td>
</tr>
<tr class="odd">
<td align="left">0x80090005</td>
<td align="left">NTE_BAD_DATA</td>
<td align="left">Unjoin the device from Azure AD and rejoin</td>
</tr><tr class="even">
<td align="left">0x80090029</td>
<td align="left">TPM is not set up.</td>
<td align="left">Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. </td>
</tr>
<tr class="even">
<td align="left">0x80090031</td>
<td align="left">NTE_AUTHENTICATION_IGNORED</td>
<td align="left">Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650)</td>
</tr>
<tr class="odd">
<td align="left">0x80090035</td>
<td align="left">Policy requires TPM and the device does not have TPM.</td>
<td align="left">Change the Passport policy to not require a TPM.</td>
</tr>
<tr class="even">
<td align="left">0x801C0003</td>
<td align="left">User is not authorized to enroll</td>
<td align="left">Check if the user has permission to perform the operation.</td>
</tr>
<tr class="odd">
<td align="left">0x801C000E</td>
<td align="left">Registration quota reached</td>
<td align="left"><p>Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933).</p></td>
</tr>
<tr class="even">
<td align="left">0x801C000F</td>
<td align="left">Operation successful but the device requires a reboot</td>
<td align="left">Reboot the device.</td>
</tr>
<tr class="odd">
<td align="left">0x801C0010</td>
<td align="left">The AIK certificate is not valid or trusted</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C0011</td>
<td align="left">The attestation statement of the transport key is invalid</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C0012</td>
<td align="left">Discovery request is not in a valid format</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C0015</td>
<td align="left">The device is required to be joined to an Active Directory domain</td>
<td align="left">Join the device to an Active Directory domain.</td>
</tr>
<tr class="odd">
<td align="left">0x801C0016</td>
<td align="left">The federation provider configuration is empty</td>
<td align="left">Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty.</td>
</tr>
<tr class="even">
<td align="left">0x801C0017</td>
<td align="left">The federation provider domain is empty</td>
<td align="left">Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty.</td>
</tr>
<tr class="odd">
<td align="left">0x801C0018</td>
<td align="left">The federation provider client configuration URL is empty</td>
<td align="left">Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL.</td>
</tr>
<tr class="even">
<td align="left">0x801C03E9</td>
<td align="left">Server response message is invalid</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EA</td>
<td align="left">Server failed to authorize user or device.</td>
<td align="left">Check if the token is valid and user has permission to register Passport keys.</td>
</tr>
<tr class="even">
<td align="left">0x801C03EB</td>
<td align="left">Server response http status is not valid</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EC</td>
<td align="left">Unhandled exception from server.</td>
<td align="left">sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C03ED</td>
<td align="left"><p>Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed</p>
<p>-or-</p>
<p>Token was not found in the Authorization header</p>
<p>-or-</p>
<p>Failed to read one or more objects</p>
<p>-or-</p><p>The request sent to the server was invalid.</p></td>
<td align="left">Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.</td>
</tr>
<tr class="odd">
<td align="left">0x801C03EE</td>
<td align="left">Attestation failed</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="even">
<td align="left">0x801C03EF</td>
<td align="left">The AIK certificate is no longer valid</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
<tr class="odd">
<td align="left">0x801C044D</td>
<td align="left">Unable to obtain user token</td>
<td align="left">Sign out and then sign in again. Check network and credentials.</td>
</tr>
<tr class="even">
<td align="left">0x801C044E</td>
<td align="left">Failed to receive user creds input</td>
<td align="left">Sign out and then sign in again.</td>
</tr>
</tbody>
</table>
 
## Errors with unknown mitigation
For errors listed in this table, contact Microsoft Support for assistance.
| Hex | Cause |
|-------------|-------------------------------------------------------------------------------------------------------|
| 0x80072f0c | Unknown |
| 0x80070057 | Invalid parameter or argument is passed |
| 0x80090027 | Caller provided wrong parameter. If third-party code receives this error they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |
| 0x80090020 | NTE\_FAIL |
| 0x801C0001 | ADRS server response is not in valid format |
| 0x801C0002 | Server failed to authenticate the user |
| 0x801C0006 | Unhandled exception from server |
| 0x801C000C | Discovery failed |
| 0x801C001B | The device certificate is not found |
| 0x801C000B | Redirection is needed and redirected location is not a well known server |
| 0x801C0019 | The federation provider client configuration is empty |
| 0x801C001A | The DRS endpoint in the federation provider client configuration is empty |
| 0x801C0013 | Tenant ID is not found in the token |
| 0x801C0014 | User SID is not found in the token |
| 0x801C03F1 | There is no UPN in the token |
| 0x801C03F0 | There is no key registered for the user |
| 0x801C03F1 | There is no UPN in the token |
| 0x801C044C | There is no core window for the current thread |
 
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

39
windows/keep-secure/passport-event-300.md
View File

@ -13,42 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
# Event ID 300 - Windows Hello successfully created
**Applies to**
- Windows 10
- Windows 10 Mobile
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.
## Event details
| | |
|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Product:** | Windows 10 operating system |
| **ID:** | 300 |
| **Source:** | Microsoft Azure Device Registration Service |
| **Version:** | 10 |
| **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} |
 
## Resolve
This is a normal condition. No further action is required.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

99
windows/keep-secure/prepare-people-to-use-microsoft-passport.md
View File

@ -13,104 +13,5 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
# Prepare people to use Windows Hello
**Applies to**
- Windows 10
- Windows 10 Mobile
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
After enrollment in Hello, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. Their gesture is only valid on the enrolled device.
Although the organization may require users to change their Active Directory or Azure Active Directory (AD) account password at regular intervals, changes to their passwords have no effect on Hello.
People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello.
## On devices owned by the organization
When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
![who owns this pc](images/corpown.png)
Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
![choose how you'll connect](images/connect.png)
They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on.
## On personal devices
People who want to access work resources on their personal devices can add a work or school account in **Settings** &gt; **Accounts** &gt; **Work or school**, and then sign in with work credentials. The person selects the method for receiving the verification code, such as text message or email. The verification code is sent and the person then enters the verification code. After verification, the person enters and confirms new PIN. The person can access any token-based resource using this device without being asked for credentials.
People can go to **Settings** &gt; **Accounts** &gt; **Work or school**, select the work account, and then select **Unjoin** to remove the account from their device.
## Using Windows Hello and biometrics
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC or VPN
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
> [!NOTE]
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
**Prerequisites:**
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- The VPN configuration profile must use certificate-based authentication.
**Pair the PC and phone**
1. On the PC, go to **Settings** &gt; **Devices** &gt; **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
![bluetooth pairing](images/btpair.png)
2. On the phone, go to **Settings** &gt; **Devices** &gt; **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**.
![bluetooth pairing passcode](images/bt-passcode.png)
3. On the PC, tap **Yes**.
**Sign in to PC using the phone**
1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
![select a device](images/phone-signin-device-select.png)
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
**Connect to VPN**
You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
[Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
[Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
[Windows Hello and password changes](microsoft-passport-and-password-changes.md)
[Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
[Event ID 300 - Windows Hello successfully created](passport-event-300.md)
[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)

61
windows/keep-secure/why-a-pin-is-better-than-a-password.md
View File

@ -13,64 +13,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
# Why a PIN is better than a password
**Applies to**
- Windows 10
- Windows 10 Mobile
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
## PIN is tied to the device
One important difference between a password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. That PIN is useless to anyone without that specific hardware. Someone who steals your password can sign in to your account from anywhere, but if they steal your PIN, they'd have to steal your physical device too!
Even you can't use that PIN anywhere except on that specific device. If you want to sign in on multiple devices, you have to set up Hello on each device.
## PIN is local to the device
A password is transmitted to the server -- it can be intercepted in transmission or stolen from a server. A PIN is local to the device -- it isn't transmitted anywhere and it isn't stored on the server.
When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server.
> **Note:**  For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928).
 
## PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetrical key pairs, users credentials cant be stolen in cases where the identity provider or websites the user accesses have been compromised.
The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. After too many incorrect guesses, the device is locked.
## PIN can be complex
The Windows Hello for Business PIN is subject to the same set of IT management policies as a password, such as complexity, length, expiration, and history. Although we generally think of a PIN as a simple four-digit code, administrators can set [policies](implement-microsoft-passport-in-your-organization.md) for managed devices to require a PIN complexity similar to a password. You can require or block: special characters, uppercase characters, lowercase characters, and digits.
## What if someone steals the laptop or phone?
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the users biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device.
You can provide additional protection for laptops that don't have TPM by enablng BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **BitLocker Drive Encryption** &gt; **Operating System Drives** &gt; **Require additional authentication at startup**
2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
3. Go to Control Panel &gt; **System and Security** &gt; **BitLocker Drive Encryption** and select the operating system drive to protect.
**Set account lockout threshold**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration** &gt;**Windows Settings** ?**Security Settings** &gt;**Account Policies** &gt; **Account Lockout Policy** &gt; **Account lockout threshold**
2. Set the number of invalid logon attempts to allow, and then click OK.
## Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you cant use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you the same level of protection as Hello.
## Related topics
[Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
[Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
 

77
windows/keep-secure/windows-hello-in-enterprise.md
View File

@ -12,80 +12,3 @@ redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hell
---
# Windows Hello biometrics in the enterprise
**Applies to:**
- Windows 10
Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
> **Note:** When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
Because we realize your employees are going to want to use this new technology in your enterprise, weve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
##How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials.
The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- Employees get a simple authentication method (backed up with a PIN) thats always with them, so theres nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesnt roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still cant be easily converted to a form that could be recognized by the biometric sensor.
## Has Microsoft set any device requirements for Windows Hello?
Weve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
### Fingerprint sensor requirements
To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employees unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional).
**Acceptable performance range for small to large size touch sensors**
- False Accept Rate (FAR): &lt;0.001 0.002%
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
**Acceptable performance range for swipe sensors**
- False Accept Rate (FAR): &lt;0.002%
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
### Facial recognition sensors
To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employees facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
- False Accept Rate (FAR): &lt;0.001
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
## Related topics
- [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
- [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
- [Microsoft Passport guide](microsoft-passport-guide.md)
- [Prepare people to use Windows Hello for Work](prepare-people-to-use-microsoft-passport.md)
- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)